authenticating against local LDAP and Jumpcloud LDAP
I'm new to Freeradius, so I'm looking either for an actual answer on how to do what I need, or to point me towards the right documentation so I can learn enough about how Freeradius config files are processed so that I can figure out the solution on my own. The situation is this: I've got a Freeradius server that successfully authenticates Wifi devices with EAP-TTLS with PAP for the inner tunnel. The system also works for ssh clients with PAM authentication. I set up it myself following different instructions, half-knowing but not really knowing what I was doing. But it works. Recently I set up an LDAP directory in Jumpcloud. Their instructions for integrating with Freeradius also are for PAP within TTLS, and involve making one change in the sites-available/inner-tunnel file: within the authorize{} block, move the following to the bottom of the block update control { Proxy-To-Realm := LOCAL } and insert Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'` immediately after the Proxy-to-Realm line. The CheckUser.sh script is just a simple shell script that makes an LDAP query to Jumpcloud and returns a success or fail. Okay, I don't know what "update control" is for. I don't know how the authorize section works, but I made the changes and tested it out and it works fine for my Jumpcloud user. But it doesn't work anymore for my local LDAP users because irying to authenticate all users against jumpcloud. What I'd like is for the local ldap database to be queried first. And if that fails, then to check the Jumpcloud directory. Looking through the inner-tunnel file I see a few references to ldap, but these are all commented out, so I'm not clear how/where the local ldap database is being queried. -- ---
On Feb 15, 2016, at 8:20 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
The situation is this: I've got a Freeradius server that successfully authenticates Wifi devices with EAP-TTLS with PAP for the inner tunnel. The system also works for ssh clients with PAM authentication. I set up it myself following different instructions, half-knowing but not really knowing what I was doing. But it works.
If it works, that's good.
Recently I set up an LDAP directory in Jumpcloud. Their instructions for integrating with Freeradius also are for PAP within TTLS, and involve making one change in the sites-available/inner-tunnel file:
within the authorize{} block, move the following to the bottom of the block update control { Proxy-To-Realm := LOCAL }
That move doesn't do anything useful in your configuration. I'd suggest using the default configuration. Not because your changes are wrong, but because they are pointlessly different.
and insert Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'` immediately after the Proxy-to-Realm line.
That's... weird.
The CheckUser.sh script is just a simple shell script that makes an LDAP query to Jumpcloud and returns a success or fail.
Why not just configure LDAP directly in FreeRADIUS? The server has done LDAP for oh, 15 years now. That's just weird. But I'm not surprised, because most third-party documentation is incredibly wrong.
Okay, I don't know what "update control" is for.
$ man unlang This *is* documented.
I don't know how the authorize section works, but I made the changes and tested it out and it works fine for my Jumpcloud user. But it doesn't work anymore for my local LDAP users because irying to authenticate all users against jump cloud.
Exactly.
What I'd like is for the local ldap database to be queried first. And if that fails, then to check the Jumpcloud directory.
That's a bad design. Instead, figure out why the users are different. Read the debug output. Look at User-Names for local users, and for jump cloud users. Are they consistently different? How are they different? Then, write a rule: if (local user) { ldap } else { do jump cloud stuff }
Looking through the inner-tunnel file I see a few references to ldap, but these are all commented out, so I'm not clear how/where the local ldap database is being queried.
If the LDAP calls are commented out, then the local LDAP database isn't being queried. Alan DeKok.
Alan, thanks for your reply. I've got a couple brief questions. On Tue, Feb 16, 2016 at 6:18 AM, Alan DeKok <aland@deployingradius.com> wrote:
That move doesn't do anything useful in your configuration.
It did strike me as odd, so that's good to know.
Why not just configure LDAP directly in FreeRADIUS? The server has done LDAP for oh, 15 years now.
In fact I would like to do this. But I haven't gotten far enough into the documentation to know how. Perhaps just uncommenting the ldap lines in the authorize section is sufficient.
Instead, figure out why the users are different. Read the debug output. Look at User-Names for local users, and for jump cloud users. Are they consistently different? How are they different?
There doesn't appear to be any difference, either is simply a basic username like "test1" "test2". In the debug output they look like this: User-Name = "test2" Perhaps this is something REALMs would help distinguish? Looking through inner-tunnel I see there is a suffix call that tries to determine which realm is provided. In my case, the realm is null for all users. If I were to create jumpcloud usernames with user@something, what would the "suffix" routine do with it, and would I be able to test for this in an if statement? Thanks! --- Michael Martinez http://www.michael--martinez.com
Hi,
In fact I would like to do this. But I haven't gotten far enough into the documentation to know how. Perhaps just uncommenting the ldap lines in the authorize section is sufficient.
thats how to call the LDAP stuff - but you do need to configure the LDAP module too so it knows what server to talk to and how to talk to it etc ;-)
all users. If I were to create jumpcloud usernames with user@something, what would the "suffix" routine do with it, and would I be able to test for this in an if statement?
if you have something in the user-name such as a realm you could just use unlang with a regex to make the match... alan
On Feb 16, 2016, at 2:46 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Why not just configure LDAP directly in FreeRADIUS? The server has done LDAP for oh, 15 years now.
In fact I would like to do this. But I haven't gotten far enough into the documentation to know how. Perhaps just uncommenting the ldap lines in the authorize section is sufficient.
More than that. You have to configure raddb/mods-enabled/ldap with the credentials to your LDAP server.
There doesn't appear to be any difference, either is simply a basic username like "test1" "test2". In the debug output they look like this: User-Name = "test2"
That's a problem. A big one.
Perhaps this is something REALMs would help distinguish?
Yes. Most users should be using email addresses for their identifiers. i.e. "user@my.domain.tld". That way you can easily distinguish users from different domain.
Looking through inner-tunnel I see there is a suffix call that tries to determine which realm is provided. In my case, the realm is null for all users. If I were to create jumpcloud usernames with user@something, what would the "suffix" routine do with it, and would I be able to test for this in an if statement?
Yes. And You'll have to create "jumpcloud" as a LOCAL realm. See raddb/proxy.conf. There are many ways to do this. The simplest way is to describe what you have, and what you want to do . We can then help you create the best configuration. Alan DeKok.
Ok, bit by bit I'm learning how freeradius works and making progress. The suggestion to look at the man page for unlang was very helpful, there's a lot of good information in there. Also the suggestion to test the inner tunnel with "radtest" has been useful. I've gotten a working configuration where my local ldap users are authenticated with PAM and jumpcloud users are authenticated with the little script I mentioned earlier. All this through the inner tunnel in EAP/TTLS-PAP. The way I have set this up is in inner-tunnel I have: if ("%{User-Name}" =~ /jumpcloud/i) { update control { Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'` } update reply { Reply-Message = "Hello jumpcloud ldap user" } } If it doesn't match then it defaults to PAM because I have DEFAULT Auth-Type = PAM in the users file. One question: I know Alan and the docs always say not to set the auth type manually. I would like to know how to configure it so it will automatically recognize and configure the user with PAM. I also at Alan's suggestion added the following lines at the end of proxy.conf: realm "jumpcloud" { auth_pool = my_auth_failover } Ok, moving on. I would like to use ldap instead of PAM. So what I did in the inner-tunnel file was uncomment "ldap" in the authorize section, and uncomment Auth-Type LDAP { ldap } in the authenticate section. Then I modified modules/ldap as follows: server = "<ip address>" identity = "cn=Manager,dc=xxxx" password = xxxxxxx basedn = "ou=People,dc=xxxx" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)" then I uncommented the "DEFAULT Auth-Type = PAM" line in users, so that I'm not explicitly setting the auth-type anywhere. Then I run " radtest test2 testing 127.0.0.1:18120 0 xxxxx" and here's what the log shows. It binds to ldap, looks up the user and grabs the password. But bombs out with an error that the Auth-Type isn't set. What am I doing wrong? Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{Stripped-User-Name} -> Thu Feb 18 11:43:42 2016 : Info: [ldap] ... expanding second conditional Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{User-Name} -> test2 Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test2) Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: ou=People,dc=xxxx -> ou=People,dc=xxxx Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] attempting LDAP reconnection Thu Feb 18 11:43:42 2016 : Debug: [ldap] (re)connect to <ip>:389, authentication 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] bind as cn=Manager,dc=xxxx/xxxxxx to <ip.>:389 Thu Feb 18 11:43:42 2016 : Debug: [ldap] waiting for bind result ... Thu Feb 18 11:43:42 2016 : Debug: [ldap] Bind was successful Thu Feb 18 11:43:42 2016 : Debug: [ldap] performing search in ou=People,dc=xxxx, with filter (uid=test2) Thu Feb 18 11:43:42 2016 : Debug: [ldap] userPassword -> Password-With-Header == "{crypt}v0EA8plSCTsuk" Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Feb 18 11:43:42 2016 : Info: ++[ldap] returns ok Thu Feb 18 11:43:42 2016 : Info: ++[expiration] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[logintime] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[pap] returns noop Thu Feb 18 11:43:42 2016 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Thu Feb 18 11:43:42 2016 : Info: Failed to authenticate the user. Thu Feb 18 11:43:42 2016 : Info: } # server inner-tunnel Thu Feb 18 11:43:42 2016 : Info: Using Post-Auth-Type Reject On Tue, Feb 16, 2016 at 12:53 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 16, 2016, at 2:46 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Why not just configure LDAP directly in FreeRADIUS? The server has done LDAP for oh, 15 years now.
Yes. Most users should be using email addresses for their identifiers. i.e. "user@my.domain.tld". That way you can easily distinguish users from different domain.
Unfortunately jumpcloud doesn't permit an "@" symbol in their usernames. I've submitted a feature request to them to allow this. I've gotten around this meanwhile by creating a username as "user.jumpcloud" On Tue, Feb 16, 2016 at 12:20 PM, <A.L.M.Buxey@lboro.ac.uk> wrote:
Is wpa_supplicant appropriate for this? I downloaded it, but having compile issues so I haven't been able to try it.
what compilation issues? its usually just the libnl/libnl-devel packages
../src/drivers/driver_nl80211.c:17:31: fatal error: netlink/genl/genl.h: No such file or directory compilation terminated. fixed it with apt-get install libnl1 libnl-dev -- --- Michael Martinez http://www.michael--martinez.com
On Feb 18, 2016, at 3:03 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Ok, bit by bit I'm learning how freeradius works and making progress. The suggestion to look at the man page for unlang was very helpful, there's a lot of good information in there. Also the suggestion to test the inner tunnel with "radtest" has been useful.
That's good.
I've gotten a working configuration where my local ldap users are authenticated with PAM
Please no. Please use the LDAP module. PAM has all kinds of problems.
and jumpcloud users are authenticated with the little script I mentioned earlier. All this through the inner tunnel in EAP/TTLS-PAP. The way I have set this up is in inner-tunnel I have:
if ("%{User-Name}" =~ /jumpcloud/i) { update control { Auth-Type := `/bin/bash /opt/RadiusCheck/CheckUser.sh '%{User-Name}' '%{User-Password}'` } update reply { Reply-Message = "Hello jumpcloud ldap user" } }
You should really do instead: suffix if (Realm == "jumpcloud") { update control { Auth-Type := `/opt/RadiusCheck/CheckUser.sh '%{Stripped-User-Name}' '%{User-Password}' } } else { ldap # local users } There's no need to run /bin/bash, if the CheckUser.sh script is executable. And you should key off of realms, like I suggested. And use the Stripped-User-Name, which is the user name without the realm.
If it doesn't match then it defaults to PAM because I have DEFAULT Auth-Type = PAM in the users file.
And don't do that. Just use LDAP in "authorize", and let the server figure it out.
One question: I know Alan and the docs always say not to set the auth type manually. I would like to know how to configure it so it will automatically recognize and configure the user with PAM.
You don't. FreeRADIUS is an *authentication server*. You should have *FreeRADIUS* do authentication. Not anything else.
I also at Alan's suggestion added the following lines at the end of proxy.conf: realm "jumpcloud" { auth_pool = my_auth_failover }
I didn't say that. I suggested: realm jumpcloud { } which make it a local realm. You don't need to proxy the jumpcloud users.
Ok, moving on. I would like to use ldap instead of PAM. So what I did in the inner-tunnel file was uncomment "ldap" in the authorize section, and uncomment Auth-Type LDAP { ldap } in the authenticate section. Then I modified modules/ldap as follows:
server = "<ip address>" identity = "cn=Manager,dc=xxxx" password = xxxxxxx basedn = "ou=People,dc=xxxx" filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})" #base_filter = "(objectclass=radiusprofile)"
then I uncommented the "DEFAULT Auth-Type = PAM" line in users, so that I'm not explicitly setting the auth-type anywhere.
That's good.
Then I run " radtest test2 testing 127.0.0.1:18120 0 xxxxx" and here's what the log shows. It binds to ldap, looks up the user and grabs the password. But bombs out with an error that the Auth-Type isn't set. What am I doing wrong?
Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{Stripped-User-Name} -> Thu Feb 18 11:43:42 2016 : Info: [ldap] ... expanding second conditional Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: %{User-Name} -> test2 Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: (uid=%{%{Stripped-User-Name}:-%{User-Name}}) -> (uid=test2) Thu Feb 18 11:43:42 2016 : Info: [ldap] expand: ou=People,dc=xxxx -> ou=People,dc=xxxx Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Checking Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_get_conn: Got Id: 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] attempting LDAP reconnection Thu Feb 18 11:43:42 2016 : Debug: [ldap] (re)connect to <ip>:389, authentication 0 Thu Feb 18 11:43:42 2016 : Debug: [ldap] bind as cn=Manager,dc=xxxx/xxxxxx to <ip.>:389 Thu Feb 18 11:43:42 2016 : Debug: [ldap] waiting for bind result ... Thu Feb 18 11:43:42 2016 : Debug: [ldap] Bind was successful Thu Feb 18 11:43:42 2016 : Debug: [ldap] performing search in ou=People,dc=xxxx, with filter (uid=test2) Thu Feb 18 11:43:42 2016 : Debug: [ldap] userPassword -> Password-With-Header == "{crypt}v0EA8plSCTsuk" Thu Feb 18 11:43:42 2016 : Debug: [ldap] ldap_release_conn: Release Id: 0 Thu Feb 18 11:43:42 2016 : Info: ++[ldap] returns ok Thu Feb 18 11:43:42 2016 : Info: ++[expiration] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[logintime] returns noop Thu Feb 18 11:43:42 2016 : Info: ++[pap] returns noop Thu Feb 18 11:43:42 2016 : Info: ERROR: No authenticate method
Which version are you running? If it's 2.1.12, stop wasting your time, and upgrade to 3.0. Or even 2.2.9. The PAP module *should* recognize crypt'd passwords and authenticate them.
Unfortunately jumpcloud doesn't permit an "@" symbol in their usernames. I've submitted a feature request to them to allow this. I've gotten around this meanwhile by creating a username as "user.jumpcloud"
So tell your users "user@jumpcloud", configure a "jumpcloud" realm as I suggested, use Stripped-user-Name, and the server will figure it out. Alan DeKok.
On Thu, Feb 18, 2016 at 12:39 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 18, 2016, at 3:03 PM, Michael Martinez <mwtzzz@gmail.com> wrote: Which version are you running? If it's 2.1.12, stop wasting your time, and upgrade to 3.0. Or even 2.2.9.
Yes I have been running 2.1.12. So I have downloaded 3.0.11 and compiled it. One observation: if ipv6 is not enabled on the system, radiusd refuses to launch, with the following error: Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol Upon doing modprobe ipv6, it launches fine..... ipv6, then, is a requirement for freeradius? -- --- Michael Martinez http://www.michael--martinez.com
On Feb 19, 2016, at 6:58 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
Yes I have been running 2.1.12. So I have downloaded 3.0.11 and compiled it. One observation: if ipv6 is not enabled on the system, radiusd refuses to launch, with the following error: Failed opening auth address :: port 1812 bound to server default: Address family not supported by protocol
Upon doing modprobe ipv6, it launches fine..... ipv6, then, is a requirement for freeradius?
No. If we don't enable IPv6 in the default config, people say that IPv6 doesn't work. If we enable IPv6 in the default config, people ask if IPv6 is required. The configuration files are text for a reason. Edit them, and disable the listener which is for IPv6. It's all in the debug output. Alan DeKok.
On Thu, Feb 18, 2016 at 12:39 PM, Alan DeKok <aland@deployingradius.com> wrote:
Which version are you running? If it's 2.1.12, stop wasting your time, and upgrade to 3.0. Or even 2.2.9.
Success. I upgraded to 3.0.11. Then I got it configured similar to my working 2.1.12 configuration. Then I enabled ldap and tested it with radtest in the inner tunnel. It works and looking through the debug output, I see what it's doing: it's using the ldap module to grab the crypted password, then it uses the PAP module to compare the crypted string of characters with, what I assume it does it run crypt against the plain text password that was entered, and compare the two strings. -- Michael Martinez http://www.michael--martinez.com
On Feb 20, 2016, at 7:56 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
On Thu, Feb 18, 2016 at 12:39 PM, Alan DeKok <aland@deployingradius.com> wrote:
Which version are you running? If it's 2.1.12, stop wasting your time, and upgrade to 3.0. Or even 2.2.9.
Success. I upgraded to 3.0.11.
That's good to hear.
Then I got it configured similar to my working 2.1.12 configuration. Then I enabled ldap and tested it with radtest in the inner tunnel. It works and looking through the debug output, I see what it's doing: it's using the ldap module to grab the crypted password, then it uses the PAP module to compare the crypted string of characters with, what I assume it does it run crypt against the plain text password that was entered, and compare the two strings.
That's what it's supposed to to! Alan DeKok.
On Sat, Feb 20, 2016 at 5:18 PM, Alan DeKok <aland@deployingradius.com> wrote:
On Feb 20, 2016, at 7:56 PM, Michael Martinez <mwtzzz@gmail.com> wrote:
string of characters with, what I assume it does it run crypt against the plain text password that was entered, and compare the two strings.
That's what it's supposed to to! Good to know.
Now that that's out of the way, I can get back to trying to understand how eap-sim is supposed to work (different thread) -- --- Michael Martinez http://www.michael--martinez.com
Another quick question: is there a way for me test eap-ttls/pap from the command line? If I could do this that would be great, because then I wouldn't have to send my colleague down to the location where the access-point is with an iPad every time I need to test a configuration change. Is wpa_supplicant appropriate for this? I downloaded it, but having compile issues so I haven't been able to try it.
Hi,
Another quick question: is there a way for me test eap-ttls/pap from the command line? If I could do this that would be great, because then I wouldn't have to send my colleague down to the location where the access-point is with an iPad every time I need to test a configuration change.
yes, using eapol_test from the wpa_supplicant project (example configs to start with are in the src/tests directory of the source code....) for a full EAP-TTLS/PAP experience..... or you can target the inner-tunnel directly with basic radius test tools - send PAP direct to inner-server local port.
Is wpa_supplicant appropriate for this? I downloaded it, but having compile issues so I haven't been able to try it.
what compilation issues? its usually just the libnl/libnl-devel packages that are needed to ensure compilation. what distro? I believe RH/centos might now be providing eapol_test as part of the RPM now(!) (yay!) alan
participants (3)
-
A.L.M.Buxey@lboro.ac.uk -
Alan DeKok -
Michael Martinez